Qilin

Threat Actor Profile Updated 2 days ago
Qilin is a notable threat actor in the cybersecurity landscape and has been significantly active over the last two years, compromising more than 150 organizations across 25 countries and a range of industries. It originally evolved from the Agenda ransomware, which was written in Go, and has since been rewritten in Rust, reflecting a shift towards more robust and efficient malware construction. First identified in July 2022, Qilin gained notoriety by offering Ransomware-as-a-Service (RaaS) on underground forums from February 2023.

The group represents a significant threat and continually adapts through RaaS partnerships: it exploits vulnerabilities to extract credentials and spreads laterally across networks using tools such as PsExec and VMware vCenter. The Qilin ransomware group has claimed responsibility for several high-profile cyber attacks, including an attack on Yanfeng Automotive Interiors, one of the world's largest automotive parts suppliers, and it recently targeted the healthcare sector with a $50 million ransom demand.

Qilin excels at defense evasion, systematically deleting system logs and using PowerShell commands to erase traces of its activity. For execution, Qilin typically places a malicious file in a specific directory; the file requires a password to run, and that password is hashed and must match the value held in its configuration data. Group-IB researchers have published detailed insights into Qilin's tactics, starting with the methods it uses to gain initial access.

Business is thriving for affiliates of the Qilin RaaS group, which poses significant challenges for global cybersecurity efforts. The group's ability to adapt and evolve its techniques, coupled with its aggressive targeting of major industries, underscores the urgent need for robust defenses and proactive measures against such threat actors.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Octo Tempest | 2 | Octo Tempest, also known as Scattered Spider, is a financially motivated threat actor known for launching extensive campaigns featuring adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities. This native English-speaking collective has evolved to become a signif
Water Galura | 1 | None
Phobos | 1 | Phobos is a type of malware, specifically a ransomware, that has been a significant cause for concern in the cyber security world. This malicious software infiltrates systems through dubious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting opera
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
RaaS
Extortion
Linux
Ransom
Data Leak
Phishing
Encryption
NHS
ESXi
Rust
Cybercrime
VMware
Ransomware P...
ESXiArgs
PowerShell
Exploits
Credentials
Encrypt
Telegram
Microsoft
Symantec
Exploit
Evasive
Windows
Malicious File
vCenter
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | Unspecified | 3 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Black Basta | Unspecified | 2 | Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Hive | Unspecified | 2 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Babuk | Unspecified | 1 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Monti | Unspecified | 1 | The Monti group, a malicious cyber entity, has been active since June 2022, shortly after the Conti ransomware gang shut down its operations. The group is known for its malware, Monti, which is a particularly harmful program designed to exploit and damage computer systems. It infiltrates systems thr
HELLOKITTY | Unspecified | 1 | HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat
Nokoyawa | Unspecified | 1 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
Snatch | Unspecified | 1 | Snatch is a type of malware, specifically ransomware, designed to infiltrate systems undetected, often through suspicious downloads, emails, or websites. Once inside the system, it can wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. The Snatch
Farnetwork | Unspecified | 1 | Farnetwork, a notorious malware operator identified by cybersecurity researchers from Group-IB, has been active in the cybercrime scene since 2019. Known for deploying five different strains of ransomware, including its proprietary strain Nokoyawa, Farnetwork has collaborated with other cybercrimina
RTM Locker | Unspecified | 1 | RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou
Akira | Unspecified | 1 | Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in late 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Blackbasta | Unspecified | 1 | BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Associated Threat Actors
ID | Type | Votes | Profile Description
Bianlian | Unspecified | 2 | BianLian is a threat actor that has been increasingly active in cybercrimes. The group is known for its malicious activities, including the execution of actions with harmful intent. In a series of recent events, BianLian has exploited vulnerabilities in JetBrains TeamCity, a continuous integration a
Alphv | Unspecified | 2 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Scattered Spider | Unspecified | 2 | Scattered Spider is a prominent threat actor group involved in cybercrime activities with malicious intent. The group employs various tactics to compromise its targets, including phishing for login credentials, searching SharePoint repositories for sensitive information, and exploiting infrastructur
Ransomhub | Unspecified | 2 | RansomHub, a threat actor known for executing actions with malicious intent, has recently been linked to several high-profile cyber-attacks. The group is recognized for its ransomware attacks, which have resulted in significant data breaches at multiple companies. Christie, a prominent organization,
Vice Society | Unspecified | 1 | Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Snake | Unspecified | 1 | Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg
UNC3944 | Unspecified | 1 | UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor that has been active since 2021. Initially targeting telecommunication firms and tech companies, the group has expanded its range to include hospitality, retail, media, and financial services sectors. The gr
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2024-38112 | Unspecified | 1 | None
Source Document References
Information about the Qilin threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 2 days ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 days ago | Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine | 6 days ago | Qilin Ransomware's Sophisticated Tactics Unveiled By Experts
Securityaffairs | 6 days ago | Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
DARKReading | 7 days ago | Microsoft: Scattered Spider Widens Web With RansomHub & Qilin
InfoSecurity-magazine | 12 days ago | Ransomware Surges Annually Despite Law Enforcement Takedowns
InfoSecurity-magazine | 21 days ago | Ransomware Attack Demands Reach a Staggering $5.2m in 2024
BankInfoSecurity | a month ago | As Britain's NHS Faces Data Leak, Never Normalize Ransomware
BankInfoSecurity | a month ago | Qilin Ransomware Group Leaks NHS Data
InfoSecurity-magazine | a month ago | Synnovis Attackers Publish NHS Patient Data Online
BankInfoSecurity | a month ago | UK Pathology Lab Ransomware Attackers Demanded $50 Million
InfoSecurity-magazine | a month ago | London Ransomware Attack Led to 1500 Cancelled Ops and Appointments
Securityaffairs | a month ago | London hospitals canceled over 800 operations in the week after Synnovis ransomware attack
Securityaffairs | a month ago | UK NHS call for O-type blood donations following ransomware attack on London hospitals
Checkpoint | a month ago | 10th June – Threat Intelligence Report - Check Point Research
BankInfoSecurity | a month ago | London Hospitals Seek Biologics Backup After Ransomware Hit
InfoSecurity-magazine | a month ago | NHS Appeals For Blood and Volunteers After Cyber-Attack
BankInfoSecurity | 2 months ago | Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack